silversurfer
Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
- Aug 17, 2014
- 10,055
A massive proxy botnet is just the tip of the iceberg, a warning sign of a bigger operation in the works by the Ramnit operators.
The recently uncovered “Black” botnet campaign using the Ramnit malware racked up 100,000 infections in the two months through July– but the offensive could just be a precursor to a much larger attack coming down the pike, according to researchers, thanks to a second-stage malware called Ngioweb.
Check Point Research said that the actors behind the Black botnet are mainly working on creating a network of malicious proxy servers; infected machines that together operate as a high-centralized botnet, “though its architecture implies division into independent botnets.”
In the Black operation, Ramnit malware, which is likely being distributed via spam campaigns, according to Check Point, is merely a first-stage malware. Ramnit has extensive information exfiltration capabilities stemming from its heritage as a banking trojan; but it also backdoors infected machines. In this case, it sets up a path for a malware called Ngioweb, marking a new chapter for the venerable old code, first seen in 2010.
“Ngioweb represents a multifunctional proxy server which uses its own binary protocol with two layers of encryption,” Check Point researchers explained in an analysis of the campaign posted on Sunday. “The proxy malware supports back-connect mode, relay mode, IPv4, IPv6 protocols, TCP and UDP transports, with first samples seen in the second half of 2017.”